My Secure UI post will have to be postponed until Monday. Meanwhile, I got a name for the idea: Phishmark. I am also planning to write a small downloadable client that implements a simplified version of the idea. Since I am in the naming mood, I named it PhishGuard. I'll probably throw other related ideas into that as well over time because phishmarking doesn't cover all the bases. Until then, so long and thanks for all the phish.
Category: Technical
Funny Side of Open Source
I read this really funny sequence of comments to Hani's recent post about a spat between Bob Lee, who contributed some AOP code to the JBoss 4.0 effort, and Marc Fleury, fearless leader of JBoss.
Marc Fleury
Hani, perhaps you could name your sources… CDN? Cameron? chiara? carlos V who seems to have a thing for my wife? cedric? rickard? the list goes on when you are as popular as we are and talk the way I do…
Anonymous1
Hey Carlos, since when do you have a thing for Mrs. Fleury? Marc doesn't seem to mind – that's the real spirit of open source: LGPL your wife.
Marc Fleury
jon tirsen: are you pissed off because I called IoC "gay"? I am sorry if you took that personally, that was just my view on the technology.
So once and for all
I WILL HUNT YOU ALL DOWN FOR TRYING TO PROFIT FROM THE INTERNET. THE INTERNET BELONGS TO JBOSS AND ME ME ME AND ANY OF YOU TRYING TO USE IT AND PAY JBOSS ZERO DOLLARS WILL PAY IN BLOOD SWEAT TOIL AND TEARS!!!! And as a nightcap for all you bad boys out there. I heard from a friend of a friend of a friend (who might be as reliable as hani's source) who mentioned JBoss to Alfred Chuang from BEA and I quote "he flipped a switch, he said JBoss was a crazy company that had STOLEN THEIR CODE (!!!!!!!) but that he couldn't sue us because he was afraid for his life". Now THAT is pretty crazy.
Anonymous2
LGPL Mrs. Fleury? Wow, I'll have a piece of that!
But knowing Dr Marc he wouldn't go for that license. He would go for the GPL. The GPL would require you give your wife back in return.
Let's not even get started on the BSD license; with the BSD you can take the wife and run.
1456
Actually GPL would require that you released any progeny back to the community. That's just wrong in so many ways.
Bob Lee
Can we pull the sticks out of our asses and stop taking ourselves so seriously?
Jon Tirsen
And by all means keep calling IoC "gay" I certainly don't mind. It's trendy to be "gay".
Looks like open source communities take their openness seriously. I have heard many hilarious spats like this before but never out in the open like this.
Thanks to the guys for the ROFL. I needed the exercise.
Visual Illusions
This post is a follow-up to the Visual Spoofing post, in which I demonstrated a serious visual vulnerability in browsers and alluded to a deeper problem.
Most of the readers who saw the demo thought of it as a hole in the browser code. Yes, there is a hole in the browser, one that allows scripts to hide and replace key UI components such as the toolbar used to display the URL of the page and the statusbar used to display the golden lock. But there is also a hole in our brain, one that people like Diego Doval zeroed in on right away.
You see, the computer screen you are reading this post on is actually showing just a rectangular array of pixels. There are no such things as windows or buttons. Instead, there are pixel patterns we call windows or buttons. It is we, the users, who associate the idea of windows and buttons with those patterns of pixels.
From this perspective, a browser window is a rectangular array of pixels under the full control of someone else, full control meaning any pattern of pixels can be displayed, including those 'sacred' patterns we see as 'windows' or 'buttons'. The illusion of depth, commonly used to convey the concept of overlapping windows, can also be duplicated.
Even if one can't hide the real toolbar and statusbar, clever visual illusions will trick a sufficient number of people to make the approach lucrative for crooks. If you think you can't be fooled, you should visit a magician near you.
The bottom line is that when you open a browser window, you are also opening a window of vulnerability, a window through which bad guys can trick you into exposing critical secrets such as passwords. Now expand that scary thought to include software you willingly installed onto your system, and you will find yourself hesitating the next time you reach for the power button.
As I mentioned before, I will be discussing a solution to this problem in a post titled 'Secure UI'. The solution won't close the window, but I believe it shrinks the window down to, hopefully, an acceptable size.
See Also: Visual Spoofing, Secure UI: Phishmarking
Visual Spoofing
While Microsoft recently patched a URL-based spoofing vulnerability, a whole new class of spoofing exists for browsers: visual spoofing. I have not yet seen any evidence of this type of spoofing actually being done, but I was able to create a demo in less than an hour.
Here is the demo of visual spoofing for IE6 I put together. Note that the vulnerability is not unique to IE.
The problem with visual spoofing is that it is difficult to fix with a simple patch. Yes, there are ways to fix the problem partially, but I don't see a way to remove the problem completely, because hackers can still create a page with images of overlapping windows to distract clueless users who tend to keep many windows open.
Update:
While thinking about tigers this afternoon, I stumbled onto an idea that could minimize the vulnerability, including the 'deeper problem', down to an acceptable level. Why was I thinking of tigers? I have no idea. Anyhow, I'll post about it in the next day or two (look for a post titled 'Secure UI') after I explain the 'deeper problem'.
Boy, I feel better already.
See Also: Visual Illusions, Secure UI: Phishmarking
XML Library Benchmark and NSIS 2.0
According to the latest XMLBench results, LibXML2 is the clear winner. Hopefully, StAX parsers will be included in the benchmark soon.
The final version of Nullsoft Scriptable Install System 2.0 is out.
Don Norman’s Emotional Design
It looks like Don Norman, Mr. Design of Everyday Things, has another major hit book on his hands: Emotional Design. I ordered my copy after reading the first few paragraphs of the first chapter, titled Attractive Things Work Better (245K PDF).
The core idea is this: if it looks good, you can use it more effectively and with less confusion than if it didn't look good. When you think about it, it's obvious. Even if you are a talented musician, your performance will suffer if you hate playing music. Of course, it can't be stretched too far. I remember reading somewhere that, when a woman is too beautiful, one can have, er, physical difficulties.
Alternate News Reader UIs
Here are some alternative news reader UI ideas to consider. The first two are usable as is, but the rest require quite a bit of polishing and crafting before they can be useful. I came up with them while I was sitting at a recent workshop after hearing the speaker complain about how boring existing news readers are.
Flashcard UI
News items are displayed on flashcards. Background color, font size, number of items per card (1-7), and transition effect should be configurable. Users can navigate forward or backward to the next or previous set of headlines. Up or escape to a wider view (list of news or sources) should be available. Fullscreen mode is essential.
Movie Credit Screen UI
Similar to the Flashcard UI, but the visual presentation effects commonly seen in movie opening or closing credits are used. The UI should not emphasize more than one news item at a time. For example, if news items fade or blur in and out, then the current candidate for further reading should be the most noticeable. Background music and entertaining audio ads can be used simultaneously. Again, fullscreen mode is essential. Screensaver mode is optional.
Video Game UI
A wild array of UIs is possible here, including using news items as prizes, gates, or monsters.
Multiplayer UI
You can see what others are interested in using various UI schemes such as footprints, rankings, etc.
A refined version of these UIs might fade a transparent headline in over the screen, or in some assigned space, for a 'while' when the user hasn't moved the mouse or typed anything for a certain amount of time. Since most news one might read using a news reader isn't urgent, you can spread hundreds of headlines over the entire day instead of flooding the reader with a large number of popups simultaneously like SharpReader does.
These ideas are just branches off a single idea: news readers as boob tubes for couch potatoes. Instead of overwhelming the user with a long list of articles and folders, turn it into a linear experience like TV. Press the power button to turn it on and just sit back until you see something you like, then press another button to dive in. Add another button for fast-forward or switching the channel.
Update:
Joe Gregorio points to Trevor Smith's Speed-Reader applet (I couldn't get the applet to run though) and the XFR project. Interesting.
Update 2:
Finally got the applet working and tried it. Well, it just doesn't work for me. Individual words have several meanings, which neighboring words help narrow down. Using the Speed-Reader, each word touched off several trails of thought, so a stream of words in sequence left me disoriented and exasperated because all the thought trails I launched got stranded as I was pulled along by the speed reader. With my brain in a carefully balanced disarray, I don't want to risk messing it up further with this thing. Frankly, it gives me the creeps.
XML 1.1 Recommendation
W3C finally put its seal of recommendation on XML 1.1, which is going to confuse a lot of people for years to come. In essence, it resyncs XML with the latest Unicode standard and simplifies the aspects of XML affected by Unicode-related changes. I was one of the folks who called for some of the changes in XML 1.1 (seemingly ages ago), but even I have mixed feelings about the spec. So it's not surprising that the release of the XML 1.1 spec upset a lot of folks out there.
My recommendation for XML application developers is to ignore XML 1.1 until support for XML 1.1 in XML parser implementations is near ubiquitous. I suspect it will take at least two years to approach that level of availability. When will it be safe to consider dropping XML 1.0 support? My optimistic answer is at least seven to ten years from now. The more realistic answer is never.
Another reason for not using XML 1.1 now is that the next version of XML is likely to arrive before XML 1.1 is widely adopted. Why? Because engineers are like blacksmiths without a hobby.
So please don't panic and do ignore XML 1.1 unless:
- you are an XML parser implementor.
- your application requires use of XML 1.1.
- you have a monopoly.
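If you follow the advice above and stay on XML 1.0, the practical consequence is a boundary check: reject documents that declare a version other than 1.0, and reject the character references that only XML 1.1 permits, before the bytes reach whatever parser you actually use. The following is an added example written for this post, not code from the post or from any XML library. It assumes the document has already been decoded to a str and uses only facts from the two specs: XML 1.0's Char production (`#x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]`) and XML 1.1's widening of that production to allow C0 controls other than NUL via character references, plus its treatment of U+0085 (NEL) and U+2028 (LSEP) as line ends. Flagging literal NEL/LSEP is a conservative policy choice made here, since a 1.0 parser and a 1.1 parser would see different text.

```python
import re

# The XML declaration, if present, must be the very first thing in the document
# (an optional BOM aside). A missing declaration means XML 1.0.
_DECL_RE = re.compile(r'^\ufeff?<\?xml\s+version\s*=\s*(["\'])(1\.[0-9]+)\1')

# Character references: &#decimal; or &#xhex;
_CHARREF_RE = re.compile(r'&#(x[0-9A-Fa-f]+|[0-9]+);')

# Code points whose meaning differs between 1.0 and 1.1 when they appear
# literally: XML 1.1 normalizes these to a line feed, XML 1.0 does not.
_VERSION_SENSITIVE_LITERALS = {0x85, 0x2028}


def declared_version(doc: str) -> str:
    """Return the version pseudo-attribute of the XML declaration ('1.0' if absent)."""
    m = _DECL_RE.match(doc)
    return m.group(2) if m else "1.0"


def is_xml10_char(cp: int) -> bool:
    """The XML 1.0 Char production."""
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)


def illegal_char_refs(doc: str) -> list:
    """Code points referenced via &#...; that are not legal XML 1.0 Chars.

    XML 1.1 allows e.g. &#1; or &#x1F;; XML 1.0 calls these not well-formed.
    This is a textual scan, so a reference inside a CDATA section or comment
    is also reported; for a boundary gate that false positive is accepted.
    """
    bad = []
    for m in _CHARREF_RE.finditer(doc):
        body = m.group(1)
        cp = int(body[1:], 16) if body[0] in "xX" else int(body)
        if not is_xml10_char(cp):
            bad.append(cp)
    return bad


def version_sensitive_literals(doc: str) -> list:
    """Literal code points (NEL, LSEP) that XML 1.1 treats as line ends but 1.0 does not."""
    return sorted({ord(ch) for ch in doc if ord(ch) in _VERSION_SENSITIVE_LITERALS})


def xml10_gate(doc: str) -> list:
    """Return the list of reasons to refuse `doc` under an XML-1.0-only policy.

    An empty list means the document may be handed to the application's parser.
    """
    reasons = []
    version = declared_version(doc)
    if version != "1.0":
        reasons.append(f"declared XML version {version}, only 1.0 is accepted")
    bad_refs = illegal_char_refs(doc)
    if bad_refs:
        refs = ", ".join(f"&#x{cp:X};" for cp in bad_refs)
        reasons.append(f"character references not legal in XML 1.0: {refs}")
    literals = version_sensitive_literals(doc)
    if literals:
        cps = ", ".join(f"U+{cp:04X}" for cp in literals)
        reasons.append(f"literal line-end characters with version-dependent meaning: {cps}")
    return reasons


if __name__ == "__main__":
    # Constructed sample documents, not taken from any real feed.
    samples = [
        '<?xml version="1.0" encoding="UTF-8"?><note>&#x41;ok</note>',
        '<?xml version="1.1"?><note>new</note>',
        '<note>&#1;&#x1F;&#65;</note>',
        '<note>line one\u0085line two</note>',
    ]
    for s in samples:
        verdict = xml10_gate(s)
        print("ACCEPT" if not verdict else "REJECT", repr(s), verdict)
```

The gate is deliberately stricter than a parser: it says nothing about whether the document is well-formed, only whether its interpretation could depend on which XML version the downstream parser implements. Run it where untrusted XML enters the system, and let the regular parser do the rest.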
Update:
Read Dare Obasanjo's post XML 1.1: The W3C Gets It Wrong. I wonder if Jean Paoli has a blog?
Social Software for the Dead
Yesterday, I dreamt that my father died. So I woke up upset and disturbed. Disturbed because my father is going to Paris today, a trip I have a bad foreboding about. Chewing on bad mojo all morning led me to think about using blogs as a memorial of sorts, and then spilled out into thinking about dead people in social networks. Here are some notable pieces from that trail:
Rewinding a blog back in time
I thought it might be neat to have a blog that moves backward in time, with posts sorted in reverse order. So when I die, my blog will show posts from the day before I died, and then the day before that, and so on. There will be blog comments by visitors from before and after I died. There are problems with this idea, but it is worth savoring to look for hidden passages to new ideas.
Blogging from the Grave
It would also be interesting to turn my blog into a wiki-ish blog after I die, so that my friends can post to my blog for one reason or another. In a sense, 'I' continue to live within the minds of my friends, so 'I' am still blogging from the grave.
The Dead as a Party Host
I mentioned before that the 'center' of a social network doesn't have to coordinate or even be aware of the synergy he or she creates. Come to think of it, the center doesn't even have to be alive. For example, people who met each other at a funeral form a social network around a dead person.
Zombies in Orkut
What should happen when a member of Orkut or LinkedIn dies? It's bound to happen, or has happened already. Should his node disappear? That doesn't make sense. Two people having a friend in common is relevant even if the friend happens to be dead. But if the node is left within the network, what are the downsides, other than having to add a gravestone icon to the profile?
Groovy Social Clubs and Clients
As I try to look ahead of the social networking service market, I see the following three trends emerging:
- Specialization – Who's Who in X, Y, and Z.
- Segregation – Invitation-only
- Decentralization – Rich clients (e.g. Groovy) supporting multiple social networking services and richer integration with other social tools such as e-mail and IM.